I have a private AKS cluster, which is running an NGINX ingress controller that has multiple replicas for HA.
I would like to put a proxy/LB in front of NGINX ingress controller in order to have only one endpoint for end users. What are my options in this case?
I was thinking about having k8s service to proxy multiple ingress controllers.
> I would like to put a proxy/LB in front of NGINX ingress controller in
> order to have only one endpoint for end users.

If your service is of type LoadBalancer, an LB is already there in front of the Nginx ingress controller.
Still, if you are looking to set up another proxy or LB
> I was thinking about having k8s service to proxy multiple ingress
> controllers.

You can try the Istio service mesh, which will provide you with a sidecar container proxy, if you want a multiple-proxy setup.
Ref: https://istio.io/latest/blog/2019/data-plane-setup/
Or, if you want to use the Nginx ingress controller, you can set up another ingress controller, API gateway, or service mesh in front of the Nginx ingress controller.
So your flow will go like:
API gateway/ingress controller/service mesh --> Nginx ingress controller --> k8s service --> Deployment pods
It might change a little if you plan to use the sidecar proxy with a service mesh.
Related
I am new to Kubernetes and if I am not wrong, a service can be exposed inside the cluster using ClusterIP, and to the outside world using NodePort or LoadBalancer types. But my requirement is that I have a single container that has few REST APIs. I want that one API (the basic health check API) should be exposed to the outside, and the rest of the APIs should be available only within the cluster (accessible by other nodes). How can I achieve this?
You can keep your service as ClusterIP and use an Ingress.
With an Ingress and an ingress controller, you can set up and expose the desired path outside of the cluster.
For the Ingress, you can install the Nginx ingress controller and create the Ingress resource.
Read more about the Nginx ingress controller setup and Ingress resource setup.
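One way to set this up, as an added example that is not part of the original answer: the Service stays ClusterIP and the Ingress publishes only the health path. The names `rest-api` and `rest-api-health`, the ports, the path `/health`, the host `api.example.com` and the `nginx` ingress class are assumptions.

```yaml
# Added example; names, ports, host and path are assumed, not taken from the post.
apiVersion: v1
kind: Service
metadata:
  name: rest-api
spec:
  type: ClusterIP              # no NodePort, no external IP: in-cluster access only
  selector:
    app: rest-api
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rest-api-health
spec:
  ingressClassName: nginx
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /health
            pathType: Exact    # routes only this exact path; every other API path is left unpublished
            backend:
              service:
                name: rest-api
                port:
                  number: 80
```

Requests from outside to any other path are answered by the controller's default backend (404), while in-cluster clients keep calling the `rest-api` Service directly. A second Ingress for the same host with a broader path (for example `/` with `pathType: Prefix`) would publish the remaining APIs again, so keep this the only Ingress that references the Service.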
I have Kubernetes objects as below:
1. a deployment
2. a service to use with that deployment in step 1
3. an ingress with backend paths to the service in step 2
I am using Kubernetes Engine in GCP. Once I created an ingress object, it created a load balancer as usual.
So I have my DNS, and I added an A record with a domain name test1.<my-domain>.co pointing to the IP of the LoadBalancer created from the ingress.
But this is not working. It doesn't load the page.
Then I tried installing the nginx ingress controller, and once that was deployed, it created another load balancer in GCP. So I got the IP of that newly created load balancer and replaced the DNS record IP with the newly created load balancer's IP. And voila, it started working. So does that mean an ingress always needs an ingress controller to work?
Yes, in order for the Ingress resource to work, the cluster must have an ingress controller running. Only creating an Ingress resource has no effect.
An Ingress controller is responsible for fulfilling the Ingress, usually with a load balancer, which is what you see.
A request from the client lands on the Ingress-managed load balancer and is forwarded to the respective Ingress based on the host and path in the original request. Following the routing rules defined in the Ingress, the request is forwarded to the service, from where it lands on the backend pods.
An Ingress resource creating its own load balancer seems to be a behaviour followed in GKE. From the GCP docs:

> When you specify kind:Ingress in the resource manifest, you instruct
> GKE to create an Ingress resource. By including annotations and
> supporting workloads and Services, you can create a custom Ingress
> controller. Otherwise, GKE makes appropriate Google Cloud API calls to
> create an external HTTP(S) load balancer.

You can read more about this here.
Yes, an ingress controller is needed to serve user requests coming from outside the cluster.
When a user sends a request to the load balancer IP of the ingress controller, the ingress controller reads the route from the ingress resource and forwards the user request accordingly.
An ingress resource is a part of a service. This means that for every service you need to have an ingress resource, whereas an ingress controller can serve multiple ingress resources.
There are mainly two ingress controllers used:
- nginx
- contour

You can read about them in detail.
I am planning to deploy to an AKS cluster and use an NGINX ingress controller, so that my micro-services will be internal to the cluster and the NGINX ingress controller will be the entry point to the micro-services.
One of my micro-services acts as an API gateway using the Ocelot library, and it implements the BFF pattern. So my ingress controller will have only one rule which will route requests made to the path "/(.*)" to the API gateway micro-service.
My question is - is this the conventional way to use an ingress controller and an API gateway micro-service? Somehow it feels redundant, although I could think that both have different responsibilities.
I don't think you would need an ingress controller in this case. We use an API gateway, which is Ambassador, and we simply have a public IP assigned to its Kubernetes service.
If you don't expect other pods to expose themselves using Ingress objects, and all traffic will be coming in through your API gateway, I would simply drop the ingress controller and enable a Service of type LoadBalancer for your API gateway pods.
I have a kubernetes cluster created. According to security policies in the company, I need to have first an application gateway WAF in front that hits the cluster (which has a public IP). And as an ingress controller for this cluster I need to configure a Nginx ingress controller (also has a public IP). How can I connect or point the waf to the ingress controller? Is this possible to be done?
Thanks!
Native support for the Nginx ingress controller is with a load balancer and not with App Gateway. One possible approach is to create the Nginx ingress controller load balancer as private, using these docs.
Now add this private IP of the load balancer as the backend pool of the App Gateway, and your App Gateway should start serving the traffic from the AKS cluster.
The App Gateway ingress controller, as suggested by another comment, is GA now but is still buggy. It takes time to update the backend pools on deploying new pods.
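The private load balancer approach from the answer above, written as Helm values for the ingress-nginx chart (an added example, not from the original answer). The file name, replica count, subnet name and Helm repo alias are assumed; the private IP that Azure assigns to the resulting Service is the address to put in the Application Gateway backend pool.

```yaml
# values-internal.yaml (added example; file name, subnet name and replica count are assumed).
# Install with, assuming the chart repo alias "ingress-nginx":
#   helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
#     --namespace ingress-nginx --create-namespace -f values-internal.yaml
controller:
  replicaCount: 2            # all replicas sit behind the single Service IP below
  service:
    type: LoadBalancer
    annotations:
      # Provision an Azure internal load balancer: private IP only, no public IP.
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      # Assumed subnet name; omit this line to use the cluster's node subnet.
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "ingress-subnet"
      # Point the Azure health probe at the controller's health endpoint.
      service.beta.kubernetes.io/azure-load-balancer-health-probe-request-path: /healthz
```

With no public IP on the controller, the Application Gateway WAF is the only route in from the internet, so requests cannot reach the ingress without passing the WAF. The same Service also gives the single endpoint in front of multiple controller replicas asked about in the first question on this page.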
I've been using Kubernetes' LoadBalancer type service for incoming traffic on AWS. However, it is hard to terminate SSL at a service level, thus the idea of using an Ingress.
However, a LoadBalancer service allows us to make as many rolling changes as we like to our deployments without having to configure our DNS. By using Ingress, you can only use NodePort and while we would like to use Ingress, mapping DNS to new node when the pod is deployed on another node is a problem.
Is there a way to point a Kubernetes to point to an Ingress controller or use a service type LoadBalancer with an Ingress controller to terminate SSL.
We do not want to put our SSL certificates in a container, which is why this trouble.
> Is there a way to point a Kubernetes to point to an Ingress controller or use a service type LoadBalancer with an Ingress controller to terminate SSL.

You can simply deploy the on-metal (nginx, haproxy, traefik...) ingress controllers as a pod/daemonset/rc in your cluster, and front it with a service of type=loadbalancer. You can find these controllers in various places like: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx, https://libraries.io/go/github.com%2Ftimelinelabs%2Fromulus, https://github.com/containous/traefik/blob/fa25c8ef221d89719bd0c491b66bbf54e3d40438/docs/toml.md#kubernetes-ingress-backend,
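A sketch of that layout with TLS terminated at the ingress controller, as an added example that is not part of the original answer. The certificate is referenced from a Kubernetes TLS Secret rather than baked into any image; all names, labels, namespaces and the host are assumed.

```yaml
# Added example; names, labels, namespaces and the host are assumed.
# Service of type LoadBalancer in front of the ingress controller pods: DNS points at
# the cloud load balancer, so it does not change when pods move between nodes.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: https
      port: 443
      targetPort: 443          # TLS reaches the controller pods and is terminated there
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: default
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - app.example.com
      secretName: app-example-com-tls   # Secret of type kubernetes.io/tls in this namespace
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 80
```

The Secret can be created with `kubectl create secret tls app-example-com-tls --cert=tls.crt --key=tls.key`, which keeps the private key out of container images. Restrict RBAC read access to Secrets in that namespace, since anyone who can read the Secret can read the key.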